diff options
author | unknown <serg@serg.mylan> | 2005-03-03 19:51:29 +0100 |
---|---|---|
committer | unknown <serg@serg.mylan> | 2005-03-03 19:51:29 +0100 |
commit | 70e24138dca5bc24c626b3d5aadf9dd390304436 (patch) | |
tree | 6a871c4d1335ae125f6cd13af89645ec25365e37 | |
parent | f40d2cd62b889b5d35da7e0047fccb49e781c4bf (diff) | |
download | mariadb-git-70e24138dca5bc24c626b3d5aadf9dd390304436.tar.gz |
Fixes for bugs reported by Stefano Di Paola (stefano.dipaola@wisec.it)
include/my_global.h:
O_NOFOLLOW
isam/create.c:
create table files with O_EXCL|O_NOFOLLOW
merge/mrg_create.c:
create table files with O_EXCL|O_NOFOLLOW
myisam/mi_create.c:
create files of temporary tables with O_EXCL|O_NOFOLLOW
myisammrg/myrg_create.c:
create table files with O_EXCL|O_NOFOLLOW
mysys/mf_tempfile.c:
create temporary files with O_EXCL|O_NOFOLLOW
sql/ha_myisam.cc:
let mi_create know if the table is TEMPORARY
sql/mysql_priv.h:
--allow_suspicious_udfs
sql/mysqld.cc:
--allow_suspicious_udfs
sql/share/english/errmsg.txt:
typo
sql/sql_udf.cc:
--allow_suspicious_udfs
don't allow xxx() udf without any of xxx_init/deinit/add/reset
check paths when loading from mysql.func
sql/table.cc:
create frm of temporary table with O_EXCL|O_NOFOLLOW
-rw-r--r-- | include/my_global.h | 3 | ||||
-rw-r--r-- | isam/create.c | 5 | ||||
-rw-r--r-- | merge/mrg_create.c | 2 | ||||
-rw-r--r-- | myisam/mi_create.c | 16 | ||||
-rw-r--r-- | myisammrg/myrg_create.c | 2 | ||||
-rw-r--r-- | mysys/mf_tempfile.c | 8 | ||||
-rw-r--r-- | sql/ha_myisam.cc | 18 | ||||
-rw-r--r-- | sql/mysql_priv.h | 2 | ||||
-rw-r--r-- | sql/mysqld.cc | 11 | ||||
-rw-r--r-- | sql/share/english/errmsg.txt | 2 | ||||
-rw-r--r-- | sql/sql_udf.cc | 98 | ||||
-rw-r--r-- | sql/table.cc | 6 |
12 files changed, 114 insertions, 59 deletions
diff --git a/include/my_global.h b/include/my_global.h index 6871dfbf6c6..0d6f52a3376 100644 --- a/include/my_global.h +++ b/include/my_global.h @@ -500,6 +500,9 @@ typedef SOCKET_SIZE_TYPE size_socket; #ifndef O_SHORT_LIVED #define O_SHORT_LIVED 0 #endif +#ifndef O_NOFOLLOW +#define O_NOFOLLOW 0 +#endif /* #define USE_RECORD_LOCK */ diff --git a/isam/create.c b/isam/create.c index 4c23f3edd11..204d3157d00 100644 --- a/isam/create.c +++ b/isam/create.c @@ -58,13 +58,14 @@ int nisam_create(const char *name,uint keys,N_KEYDEF *keyinfo, base_pos=512; /* Enough for N_STATE_INFO */ bzero((byte*) &share,sizeof(share)); if ((file = my_create(fn_format(buff,name,"",N_NAME_IEXT,4),0, - O_RDWR | O_TRUNC,MYF(MY_WME))) < 0) + O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0) goto err; errpos=1; VOID(fn_format(buff,name,"",N_NAME_DEXT,2+4)); if (!(flags & HA_DONT_TOUCH_DATA)) { - if ((dfile = my_create(buff,0,O_RDWR | O_TRUNC,MYF(MY_WME))) < 0) + if ((dfile = my_create(buff,0,O_RDWR | O_EXCL | O_NOFOLLOW, + MYF(MY_WME))) < 0) goto err; errpos=2; } diff --git a/merge/mrg_create.c b/merge/mrg_create.c index d55a1421647..3508b7967f4 100644 --- a/merge/mrg_create.c +++ b/merge/mrg_create.c @@ -33,7 +33,7 @@ int mrg_create(const char *name, const char**table_names) errpos=0; if ((file = my_create(fn_format(buff,name,"",MRG_NAME_EXT,4),0, - O_RDWR | O_TRUNC,MYF(MY_WME))) < 0) + O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0) goto err; errpos=1; if (table_names) diff --git a/myisam/mi_create.c b/myisam/mi_create.c index 99e9ca5ba5f..d07179f1799 100644 --- a/myisam/mi_create.c +++ b/myisam/mi_create.c @@ -37,7 +37,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs, { register uint i,j; File dfile,file; - int errpos,save_errno; + int errpos,save_errno, create_mode= O_RDWR | O_TRUNC; myf create_flag; uint fields,length,max_key_length,packed,pointer, key_length,info_length,key_segs,options,min_key_length_skipp, @@ -174,7 +174,10 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs, min_pack_length+=varchar_length+2*varchar_count; } if (flags & HA_CREATE_TMP_TABLE) + { options|= HA_OPTION_TMP_TABLE; + create_mode|= O_EXCL | O_NOFOLLOW; + } if (flags & HA_CREATE_CHECKSUM || (options & HA_OPTION_CHECKSUM)) { options|= HA_OPTION_CHECKSUM; @@ -508,9 +511,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs, create_flag=MY_DELETE_OLD; } - if ((file= my_create_with_symlink(linkname_ptr, - filename, - 0, O_RDWR | O_TRUNC, + if ((file= my_create_with_symlink(linkname_ptr, filename, 0, create_mode, MYF(MY_WME | create_flag))) < 0) goto err; errpos=1; @@ -521,7 +522,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs, if (share.base.raid_type) { (void) fn_format(filename,name,"",MI_NAME_DEXT,2+4); - if ((dfile=my_raid_create(filename,0,O_RDWR | O_TRUNC, + if ((dfile=my_raid_create(filename, 0, create_mode share.base.raid_type, share.base.raid_chunks, share.base.raid_chunksize, @@ -544,9 +545,8 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs, linkname_ptr=0; create_flag=MY_DELETE_OLD; } - if ((dfile= - my_create_with_symlink(linkname_ptr, filename, - 0,O_RDWR | O_TRUNC, + if ((dfile= + my_create_with_symlink(linkname_ptr, filename, 0, create_mode, MYF(MY_WME | create_flag))) < 0) goto err; } diff --git a/myisammrg/myrg_create.c b/myisammrg/myrg_create.c index 5fc3c60ff32..7ddb7ecb3b9 100644 --- a/myisammrg/myrg_create.c +++ b/myisammrg/myrg_create.c @@ -34,7 +34,7 @@ int myrg_create(const char *name, const char **table_names, errpos=0; if ((file = my_create(fn_format(buff,name,"",MYRG_NAME_EXT,4),0, - O_RDWR | O_TRUNC,MYF(MY_WME))) < 0) + O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0) goto err; errpos=1; if (table_names) diff --git a/mysys/mf_tempfile.c b/mysys/mf_tempfile.c index ca9912d9210..c84222ba77f 100644 --- a/mysys/mf_tempfile.c +++ b/mysys/mf_tempfile.c @@ -70,7 +70,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix, { strmake(to,res,FN_REFLEN-1); (*free)(res); - file=my_create(to,0, mode, MyFlags); + file=my_create(to,0, mode | O_EXCL | O_NOFOLLOW, MyFlags); } environ=old_env; } @@ -81,7 +81,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix, { strmake(to,res,FN_REFLEN-1); (*free)(res); - file=my_create(to, 0, mode, MyFlags); + file=my_create(to, 0, mode | O_EXCL | O_NOFOLLOW, MyFlags); } #elif defined(HAVE_MKSTEMP) && !defined(__NETWARE__) { @@ -143,7 +143,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix, strmake(to,res,FN_REFLEN-1); (*free)(res); file=my_create(to,0, - (int) (O_RDWR | O_BINARY | O_TRUNC | + (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW | O_TEMPORARY | O_SHORT_LIVED), MYF(MY_WME)); @@ -186,7 +186,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix, } (void) strmov(end_pos,TMP_EXT); file=my_create(to,0, - (int) (O_RDWR | O_BINARY | O_TRUNC | + (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW | O_TEMPORARY | O_SHORT_LIVED), MYF(MY_WME)); } diff --git a/sql/ha_myisam.cc b/sql/ha_myisam.cc index d79ea4adda0..cf2d8e32e0a 100644 --- a/sql/ha_myisam.cc +++ b/sql/ha_myisam.cc @@ -1052,7 +1052,7 @@ int ha_myisam::create(const char *name, register TABLE *table_arg, HA_CREATE_INFO *info) { int error; - uint i,j,recpos,minpos,fieldpos,temp_length,length; + uint i,j,recpos,minpos,fieldpos,temp_length,length, create_flags; bool found_real_auto_increment=0; enum ha_base_keytype type; char buff[FN_REFLEN]; @@ -1224,17 +1224,21 @@ int ha_myisam::create(const char *name, register TABLE *table_arg, create_info.data_file_name= info->data_file_name; create_info.index_file_name=info->index_file_name; + if (info->options & HA_LEX_CREATE_TMP_TABLE) + create_flags|= HA_CREATE_TMP_TABLE; + if (options & HA_OPTION_PACK_RECORD) + create_flags|= HA_PACK_RECORD; + if (options & HA_OPTION_CHECKSUM) + create_flags|= HA_CREATE_CHECKSUM; + if (options & HA_OPTION_DELAY_KEY_WRITE) + create_flags|= HA_CREATE_DELAY_KEY_WRITE; + /* TODO: Check that the following fn_format is really needed */ error=mi_create(fn_format(buff,name,"","",2+4), table_arg->keys,keydef, (uint) (recinfo_pos-recinfo), recinfo, 0, (MI_UNIQUEDEF*) 0, - &create_info, - (((options & HA_OPTION_PACK_RECORD) ? HA_PACK_RECORD : 0) | - ((options & HA_OPTION_CHECKSUM) ? HA_CREATE_CHECKSUM : 0) | - ((options & HA_OPTION_DELAY_KEY_WRITE) ? - HA_CREATE_DELAY_KEY_WRITE : 0))); - + &create_info, create_flags); my_free((gptr) recinfo,MYF(0)); DBUG_RETURN(error); diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h index cbbf3b843d3..6281b64bc5e 100644 --- a/sql/mysql_priv.h +++ b/sql/mysql_priv.h @@ -728,7 +728,7 @@ extern my_bool opt_sql_bin_update, opt_safe_user_create, opt_no_mix_types; extern my_bool opt_safe_show_db, opt_local_infile; extern my_bool opt_slave_compressed_protocol, use_temp_pool; extern my_bool opt_readonly, lower_case_file_system; -extern my_bool opt_enable_named_pipe, opt_sync_frm; +extern my_bool opt_enable_named_pipe, opt_sync_frm, opt_allow_suspicious_udfs; extern MYSQL_LOG mysql_log,mysql_update_log,mysql_slow_log,mysql_bin_log; extern FILE *bootstrap_file; diff --git a/sql/mysqld.cc b/sql/mysqld.cc index f104e461d6a..9fd82cf21fa 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -302,7 +302,7 @@ static pthread_t select_thread; static my_bool opt_noacl=0, opt_bootstrap=0, opt_myisam_log=0; my_bool opt_safe_user_create = 0, opt_no_mix_types = 0; my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0; -my_bool opt_log_slave_updates= 0, opt_console= 0; +my_bool opt_log_slave_updates= 0, opt_console= 0, opt_allow_suspicious_udfs; my_bool opt_readonly = 0, opt_sync_bdb_logs, opt_sync_frm; volatile bool mqh_used = 0; @@ -3525,7 +3525,7 @@ enum options_mysqld { OPT_BDB_MAX_LOCK, OPT_ERROR_LOG_FILE, OPT_DEFAULT_WEEK_FORMAT, - OPT_RANGE_ALLOC_BLOCK_SIZE, + OPT_RANGE_ALLOC_BLOCK_SIZE, OPT_ALLOW_SUSPICIOUS_UDFS, OPT_QUERY_ALLOC_BLOCK_SIZE, OPT_QUERY_PREALLOC_SIZE, OPT_TRANS_ALLOC_BLOCK_SIZE, OPT_TRANS_PREALLOC_SIZE, OPT_SYNC_FRM, OPT_BDB_NOSYNC @@ -3538,6 +3538,13 @@ struct my_option my_long_options[] = { {"ansi", 'a', "Use ANSI SQL syntax instead of MySQL syntax", 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}, + {"allow-suspicious-udfs", OPT_ALLOW_SUSPICIOUS_UDFS, + "Allows to use UDF's consisting of only one symbol xxx() " + "without corresponing xxx_init() or xxx_deinit(). That also means " + "that one can load any function from any library, for example exit() " + "from libc.so", + (gptr*) &opt_allow_suspicious_udfs, (gptr*) &opt_allow_suspicious_udfs, + 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, {"basedir", 'b', "Path to installation directory. All paths are usually resolved relative to this.", (gptr*) &mysql_home_ptr, (gptr*) &mysql_home_ptr, 0, GET_STR, REQUIRED_ARG, diff --git a/sql/share/english/errmsg.txt b/sql/share/english/errmsg.txt index 796751210dc..cfd878195ac 100644 --- a/sql/share/english/errmsg.txt +++ b/sql/share/english/errmsg.txt @@ -141,7 +141,7 @@ "No paths allowed for shared library", "Function '%-.64s' already exist", "Can't open shared library '%-.64s' (errno: %d %-.64s)", -"Can't find function '%-.64s' in library'", +"Can't find function '%-.64s' in library", "Function '%-.64s' is not defined", "Host '%-.64s' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'", "Host '%-.64s' is not allowed to connect to this MySQL server", diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc index 431f8a13d28..ae83cfef305 100644 --- a/sql/sql_udf.cc +++ b/sql/sql_udf.cc @@ -73,29 +73,49 @@ static HASH udf_hash; static pthread_mutex_t THR_LOCK_udf; -static udf_func *add_udf(char *name, Item_result ret, char *dl, - Item_udftype typ); +static udf_func *add_udf(char *name, Item_result ret, + char *dl, Item_udftype typ); static void del_udf(udf_func *udf); static void *find_udf_dl(const char *dl); - -static void init_syms(udf_func *tmp) +static char *init_syms(udf_func *tmp, char *nm) { - char nm[MAX_FIELD_NAME+16],*end; + char *end; + + if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name)))) + return tmp->name; - tmp->func = dlsym(tmp->dlhandle, tmp->name); end=strmov(nm,tmp->name); - (void) strmov(end,"_init"); - tmp->func_init = dlsym(tmp->dlhandle, nm); - (void) strmov(end,"_deinit"); - tmp->func_deinit = dlsym(tmp->dlhandle, nm); + if (tmp->type == UDFTYPE_AGGREGATE) { - (void)strmov( end, "_reset" ); - tmp->func_reset = dlsym( tmp->dlhandle, nm ); - (void)strmov( end, "_add" ); - tmp->func_add = dlsym( tmp->dlhandle, nm ); + (void)strmov(end, "_reset"); + if (!((tmp->func_reset= dlsym(tmp->dlhandle, nm)))) + return nm; + (void)strmov(end, "_add"); + if (!((tmp->func_add= dlsym(tmp->dlhandle, nm)))) + return nm; + } + + (void) strmov(end,"_deinit"); + tmp->func_deinit= dlsym(tmp->dlhandle, nm); + + (void) strmov(end,"_init"); + tmp->func_init= dlsym(tmp->dlhandle, nm); + + /* + to prefent loading "udf" from, e.g. libc.so + let's ensure that at least one auxiliary symbol is defined + */ + if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE) + { + if (opt_allow_suspicious_udfs) + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm); + else + return nm; } + + return 0; } extern "C" byte* get_hash_key(const byte *buff,uint *length, @@ -107,7 +127,7 @@ extern "C" byte* get_hash_key(const byte *buff,uint *length, } /* -** Read all predeclared functions from func@mysql and accept all that +** Read all predeclared functions from mysql.func and accept all that ** can be used. */ @@ -149,7 +169,7 @@ void udf_init() if (open_and_lock_tables(new_thd, &tables)) { DBUG_PRINT("error",("Can't open udf table")); - sql_print_error("Can't open the mysql/func table. Please run the mysql_install_db script to create it."); + sql_print_error("Can't open the mysql.func table. Please run the mysql_install_db script to create it."); goto end; } @@ -165,10 +185,22 @@ void udf_init() if (table->fields >= 4) // New func table udftype=(Item_udftype) table->field[3]->val_int(); + /* + Ensure that the .dll doesn't have a path + This is done to ensure that only approved dll from the system + directories are used (to make this even remotely secure). + */ + if (strchr(dl_name, '/') || strlen(name) > NAME_LEN) + { + sql_print_error("Invalid row in mysql.func table for function '%.64s'", + name); + continue; + } + if (!(tmp = add_udf(name,(Item_result) table->field[1]->val_int(), dl_name, udftype))) { - sql_print_error("Can't alloc memory for udf function: name"); + sql_print_error("Can't alloc memory for udf function: '%.64s'", name); continue; } @@ -186,13 +218,15 @@ void udf_init() new_dl=1; } tmp->dlhandle = dl; - init_syms(tmp); - if (!tmp->func) { - sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name); - del_udf(tmp); - if (new_dl) - dlclose(dl); + char buf[MAX_FIELD_NAME+16], *missing; + if ((missing= init_syms(tmp, buf))) + { + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing); + del_udf(tmp); + if (new_dl) + dlclose(dl); + } } } if (error > 0) @@ -234,7 +268,7 @@ void udf_free() { initialized= 0; pthread_mutex_destroy(&THR_LOCK_udf); - } + } DBUG_VOID_RETURN; } @@ -398,13 +432,15 @@ int mysql_create_function(THD *thd,udf_func *udf) new_dl=1; } udf->dlhandle=dl; - init_syms(udf); - - if (udf->func == NULL) { - net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, udf->name); - goto err; + char buf[MAX_FIELD_NAME+16], *missing; + if ((missing= init_syms(udf, buf))) + { + net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, missing); + goto err; + } } + udf->name=strdup_root(&mem,udf->name); udf->dl=strdup_root(&mem,udf->dl); if (!(u_d=add_udf(udf->name,udf->returns,udf->dl,udf->type))) @@ -419,7 +455,7 @@ int mysql_create_function(THD *thd,udf_func *udf) u_d->func_reset=udf->func_reset; u_d->func_add=udf->func_add; - /* create entry in mysql/func table */ + /* create entry in mysql.func table */ bzero((char*) &tables,sizeof(tables)); tables.db= (char*) "mysql"; @@ -439,7 +475,7 @@ int mysql_create_function(THD *thd,udf_func *udf) close_thread_tables(thd); if (error) { - net_printf(&thd->net, ER_ERROR_ON_WRITE, "func@mysql",error); + net_printf(&thd->net, ER_ERROR_ON_WRITE, "mysql.func",error); del_udf(u_d); goto err; } diff --git a/sql/table.cc b/sql/table.cc index 43ac122c7f3..8ce6362e63c 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -1048,6 +1048,10 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo, uint key_length; ulong length; char fill[IO_SIZE]; + int create_flags= O_RDWR | O_TRUNC; + + if (create_info->options & HA_LEX_CREATE_TMP_TABLE) + create_flags|= O_EXCL | O_NOFOLLOW; #if SIZEOF_OFF_T > 4 /* Fix this in MySQL 4.0; The current limit is 4G rows (QQ) */ @@ -1062,7 +1066,7 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo, */ set_if_smaller(create_info->raid_chunks, 255); - if ((file=my_create(name,CREATE_MODE,O_RDWR | O_TRUNC,MYF(MY_WME))) >= 0) + if ((file= my_create(name, CREATE_MODE, create_flags, MYF(MY_WME))) >= 0) { bzero((char*) fileinfo,64); fileinfo[0]=(uchar) 254; fileinfo[1]= 1; fileinfo[2]= FRM_VER+1; // Header |